We had a packed house for our Cyber Time: Crash Course for Directors and Officers event this week at the Bennett Jones Calgary office. The half-day session covered current cyber threats facing businesses today, litigation exposure from a cyber incident involving personal information or confidential business information, regulatory compliance obligations regarding the protection of personal information, and insurance solutions to mitigate certain risks associated with cyberattacks. Our panel of experts included Ruth Promislow and Michael Whitt of Bennett Jones, Jay Heidecker of Seekinto and Dan Lewis of Arthur J. Gallagher Canada Limited.
The consistent theme in all of the presentations involved the need to be proactive, rather than simply reactive. Being proactive makes good business sense in that it can reduce costs incurred in responding to an attack. It also can reduce litigation risk exposure from an attack or the response to the breach. Additionally, regulatory obligations require a proactive approach. Cyber insurance can be a key component to reducing risk exposure. However, it does not cover all forms of risk and it does not replace the need (and obligation) to address risk and vulnerabilities before an attack.
The key questions identified for directors and officers to ask included the following:
-
What information do we have?
-
What is the sensitivity of this information?
-
How is the information stored?
-
What information do we retain and what do we dispose of?
-
What safeguards are in place to protect the information?
-
What is the likelihood of damage occurring and the potential severity?
-
What jurisdictions are we potentially subject to?
-
Are we in compliance with regulatory obligations?
-
Have we protected ourselves against third-party risks?
-
Do we have a breach response plan?
-
Have we tested our breach response plan?
-
Are we confident that in the face of an incident, we can avoid creating a paper trail that could be used against us?
-
Who do we have on speed dial in the event of a breach?
